How U.S. authorities tracked down the administrator of a bitcoin-funded child exploitation website
The United States' Department of Justice (DOJ) revealed how it had followed a trail of bitcoin transactions to find the suspected administrator of the site: A 23-year-old South Korean man named Jong Woo Son. (CNN)
Julia Hollingsworth, CNN
Published Monday, October 21, 2019 11:23AM EDT
For almost three years, "Welcome To Video" was a covert den for people who traded in clips of children being sexually assaulted.
There, on the darknet's largest-known site of child exploitation videos, hundreds of users from around the world accessed material that showed the sexual abuse of children as young as six months old.
Then it all began to unravel.
On Wednesday, the United States' Department of Justice (DOJ) revealed how it had followed a trail of bitcoin transactions to find the suspected administrator of the site: A 23-year-old South Korean man named Jong Woo Son.
But the case is much bigger than just one man. Over the almost three years that the site was online, users downloaded files more than one million times, according to a newly unsealed DOJ indictment. At least 23 children in the US, Spain and the United Kingdom who were being abused by the users of the site have been rescued, the DOJ said in a press release.
"Children around the world are safer because of the actions taken by US and foreign law enforcement to prosecute this case and recover funds for victims," said Jessie K. Liu, an attorney for District of Columbia where the US case was filed. "We will continue to pursue such criminals on and off the darknet in the United States and abroad, to ensure they receive the punishment their terrible crimes deserve."
In total, 337 people from at least 18 countries who used Welcome To Video have been arrested and charged, the DOJ said. And in a statement Thursday, South Korea's National Police Agency (NPA) said 223 of them were South Korean.
Many Welcome To Video users likely thought they were untraceable.
The site was on the darknet, the underbelly of the deep web which cannot be accessed by a regular browser. According to authorities, some customers paid for the explicit images of child sexual abuse in bitcoin, a digital currency that can be spent without users disclosing their true identity.
But the downfall of Welcome To Video shows that bitcoin isn't as private as some cybercriminals might have thought.
What was Welcome To Video
According to the indictment released Wednesday by the DOJ, Welcome to Video began operating around June 2015.
The site worked like this: anyone could create a free account. Authorities say users could download the videos if they paid in bitcoin, or if they earned points by referring new customers, or uploading their own videos. According to the indictment, the upload page on Welcome To Video stated: "Do not upload adult porn."
At the time, bitcoin still wasn't a widely used payment method. The non-profit Internet Watch Foundation, which works to remove images and videos of child sexual abuse from the web, found that some of the most prolific commercial child sexual abuse sites first started accepting bitcoin as payment in 2014. According to the DOJ, Welcome To Video was "among the first of its kind to monetize child exploitation videos using bitcoin."
Bitcoin can be attractive for people hoping to slip under the radar. Bitcoin is decentralized, meaning there is no company or official bank which oversees transactions. Users store their bitcoin in a virtual account -- known as a digital wallet -- without having to prove their real identity, as they might for a regular brick-and-mortar bank.
From about June 2015 to March 2018, Welcome To Video received at least 420 bitcoin through 7,300 transactions with users in numerous countries including the US, the UK and South Korea, the indictment released Wednesday shows. Those transactions were worth over $370,000 at the time.
Some of those transactions would ultimately help bring about the site's collapse.
How authorities brought down Welcome To Video
To get on the site at all, users had to have special software.
Because Welcome To Video was hosted on the darknet, it couldn't be accessed by browsers like Google Chrome or Safari. Users needed to download software -- such as Tor -- that concealed their Internet Protocol address (IP address), a unique number assigned to every device connected to the internet.
But in September 2017, authorities did something simple, according to the indictment: they right-clicked on Welcome To Video's homepage and selected "view page source."
When they did that, they discovered an unconcealed IP address. That IP address and another found in the same way October 2017 were both traced to a residential address in South Korea -- Son's alleged home.
At the same time, US investigators were carrying out an undercover operation. Once in September 2017 and twice in February 2018, an undercover agent sent bitcoin to an account provided by Welcome To Video.
Each time, the funds were later transferred into another bitcoin account -- in Son's name, and registered using Son's phone number and email, US authorities alleged in the indictment.
In March 2018, authorities searched Son's house and found the server for Welcome To Video was hosted in Son's bedroom. Authorities also seized eight terabytes containing 250,000 sexual assault videos. In total, 45% of the videos analyzed by the National Center for Missing and Exploited Children contained images not "previously known to exist."
From there, authorities were able to track down other suspects. "(This case) involved a lot of cooperation between a lots of different people," said Urszula McCormack, a partner at the King and Wood Mallesons law firm in Hong Kong who specializes in blockchain, the technology behind bitcoin. "Often it's those weak links that expose the whole."
Data from the server was shared with law enforcement officials around the world, who used it to track down and prosecute customers of the site in 18 countries, according to a DOJ statement.
In March 2018, Son was arrested in South Korea, and found guilty of producing and distributing child pornography, a charge that carries a possible 10 year jail term under South Korean law. In May this year, he was sentenced to 18 months in jail, South Korea's NPA said.
But Son could still face more prison time.
In August of last year, Son was indicted on a number of child pornography charges in the US, including advertising child pornography which carries a possible 30 year sentence.
In order for him to face those charges, Son would need to be extradited to the US -- which has an extradition treaty with South Korea. He could be arrested if he travels there of his own accord. One of the reasons the US is interested in prosecuting Son is that the content was accessed in the country.
CNN has reached out to the DOJ to ask if they will request an extradition. South Korean police told CNN they haven't received an extradition request from the US -- and while he's in prison, Son cannot be affected by the US indictment.
The flaws in bitcoin
While bitcoin has a reputation among the general public for secrecy, the reality is a bit different.
Each time bitcoin is transferred, details of the trade are recorded on a publicly available, permanent ledger, said Yihao Lim, a senior analyst from cybersecurity firm FireEye. It's therefore possible to see what an individual is doing, even you can't see their real world identity.
There are other holes in bitcoin's ability to maintain anonymity. In the US, virtual currency exchanges -- the platforms where people can buy and sell bitcoin for real money -- are required by law to verify their customers' real world identities. Developed countries are increasingly adopting those measures.
This all means that bitcoin isn't really anonymous -- it's pseudonymous. For law enforcement agents, the difficulty isn't seeing the transactions -- it's linking the bitcoin account with the real world person behind them, said Lim.
There are ways for bitcoin users to stay under the radar. But in general, authorities are catching up.
Over the past year, tools that can analyze bitcoin transactions have developed to a high level, said McCormack, from the Hong Kong law firm. "People (in the past) weren't aware that this was a possibility. I think many people these days are not aware of the sophistication of those tools and how much they're able to glean from patterns," she said.
Lim said it was a public misunderstanding that using bitcoin was secure. "Yes, they have been successful at being anonymous at the start, but law enforcement has already caught up."
What happens now
Despite bitcoin's security gaps, some inexperienced cybercriminals will probably keep using it, said Lim. After all, this isn't the first high-profile case where bitcoin has helped bring down a suspect. During the 2015 trial of the creator of the Silk Road site -- a digital marketplace that allowed users to illegally trade drugs -- prosecutors showed that they had traced millions of dollars in bitcoin to the founder's personal laptop.
"Many cybercriminals are still misinformed," Lim said of the criminal underworld. "They're just out there to make a quick buck -- they didn't do their homework enough."
As for seasoned cybercriminals, many had already switched to other cryptocurrencies, Lim said.
But people who have used bitcoin in the past could be tracked down at any point. Because the public ledger which records bitcoin transactions is immutable, there's no way to remove evidence of past dealings. When it comes to the Welcome To Video case, Lim expects more people connected with the site to be caught.
In a second court document released Wednesday, US authorities argued that 24 bitcoin accounts should be forfeited to authorities, alleging that they were used "to fund the website and promote the exploitation of children." Some of the accounts were also used to make transactions on other darknet sites, including Silk Road and Evolution where users can buy drugs and stolen information.
In the press release Wednesday, the DOJ said it planned to recover the illicit funds and return them to the victims of the crime.
"Children are our most vulnerable population, and crimes such as these unthinkable," said Homeland Security Investigations' acting executive associate director Alysa Erichs in a statement. "(The) indictment sends a strong message to criminals that, no matter how sophisticated the technology or how widespread the network, child exploitation will not be tolerated in the United States.
"Our entire justice system will stop at nothing to prevent these heinous crimes, safeguard our children, and bring justice to all."
How to get help: in the US, contact RAINN by calling their national, 24/7 sexual assault hotline on +1 800 656 4673 or chat with a staff member on their website. In the UK, call the National Society for the Prevention of Cruelty to Children on 0800 808 5000 or visit their website. More resources for protecting children from sexual abuse can be found on Darkness to Light.